Updated: Aug 8
Your Building Management Systems (BMS) are handling many important functions – such as lighting, energy management, digital signage, HVAC, security cameras, parking systems, and more. But do you know if they are connected to the internet, allow remote access for management, are behind a firewall or are patched? Threat actors in today’s continuously changing and adapting environments do – making them a target.
Using publicly available search engines known for indexing Internet-connected devices, over 35,000 BMS devices using a mix of common building automation protocols were found to be connected and accessible from the internet. Some recent malware, such as Silex, are actively attacking IoT systems, some of which are in your buildings. Additionally, according to a report published in September, 2021 by Sumo Logic, cyber crime costs have grown 15% per year annually over the last 5 years with the average cost of a data breach being $4.62 million.
Given the thin margins in commercial real estate, a cyber security incident can have real consequences for profitability at the property level – and possibly the portfolio level. So, what can you do to protect your company and investments? Here are six actions to implement as part of your cyber security strategy to mitigate cyber security risks to your Building Management Systems.
1) Enact effective Policies and Procedures and make sure your employees and vendors understand and follow them. A security awareness program, driven from the top of your organization, is a must for companies of any size. Without the right cyber training, employees may unknowingly be the weakest layer in your BMS security strategy. Even if your company is small, companies such as 5Q and our Cyber team can provide fractional CISO services.
2) Never allow your BMS to be reachable directly from the internet. If vendor or engineer remote access is required to administer or monitor your building devices, consider using an encrypted VPN connection with Multi-Factor Authentication.
3) Change the default usernames and passwords. This should not have to be said, but cyber security assessments performed by 5Q routinely identify default, weak or shared passwords on BMS Systems. Make sure to change default usernames and passwords to new, secure configurations.
4) Ensure your systems are up to date with the most recent security patches. BMS software applications, the operating systems they are installed to and the network infrastructure they run across all need to be up to date on security patches and have secure configurations. A compromise to one system can allow access to another.
5) Perform periodic vulnerability assessments. A key element to protecting your assets is to understand what your risks are and decide how to mitigate them. An inexpensive remediation of existing vulnerabilities can prevent an expensive recovery from a cyber security incident.
6) Monitor your BMS networks. Monitoring allows management and building engineers alike to know what you have, how it is (or is not) working and if it changes. It can also allow a more effective detection and response, should an incident occur.
5Q Cyber, 5Q’s cyber security team, helps companies with Building Cyber Security by providing the full spectrum of managed cyber security services to the real estate industry, from building security assessments/remediation and a cloud-based 24/7 Security Operations Center to fractional Chief Security Officer strategic and advisory services.
If you need help implementing these six steps or have other cyber security questions, contact us at email@example.com.